A vulnerability within VBoxGuest module allows an attacker to
inject memory they control into an arbitrary location they
define. This can be used by an attacker to overwrite
HalDispatchTable+0x4 and execute arbitrary code by subsequently
calling NtQueryIntervalProfile.

3. Technical Description

A userland process can create a handle into the VBoxGuest device
and subsequently make DeviceIoControlFile() calls into that
device. During the IRP handler routine for 0x0022a040 the user
provided OutputBuffer address is not validated. This allows an
attacker to specify an arbitrary address and write (or overwrite)
the memory residing at the specified address. This is classically
known as a write-what-where vulnerability and has well known
exploitation methods associated with it.

A stack trace from our fuzzing can be seen below. In our fuzzing
testcase, the specified OutputBuffer in the DeviceIoControlFile()
call is 0xffff0000.

Reviewing the TRAP_FRAME at the time of crash we can see
IopCompleteRequest() copying data from InputBuffer into the
OutputBuffer. InputBuffer is another parameter provided to the
DeviceIoControlFile() function and is therefore controllable by
the attacker. The edi register contains the invalid address
provided during the fuzz testcase.
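The missing check described above, as an added illustration that is not VirtualBox or KoreLogic code: a toy 32-bit address space in which an IOCTL completion routine copies InputBuffer data to a caller-supplied OutputBuffer address, first without validation (the advisory's pattern, where the fuzz value 0xffff0000 lands in the kernel range) and then with a ProbeForWrite-style range check. The user/kernel split constant, the backed user page, the status codes and the sample input are all assumptions of the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Toy 32-bit address space: one user page backed by an array, everything
 * else (including the kernel range) unbacked.  All constants here are
 * assumptions for the model, not VirtualBox or Windows values. */
#define USER_PROBE_ADDRESS 0x7FFF0000u   /* 32-bit Windows user/kernel split */
#define USER_PAGE_BASE     0x00400000u
#define USER_PAGE_SIZE     4096u
static uint8_t user_page[USER_PAGE_SIZE];

enum { STATUS_SUCCESS = 0, STATUS_ACCESS_VIOLATION = 1, KERNEL_RANGE_WRITE = 2 };

/* Constructed sample InputBuffer contents (not from the advisory). */
const uint8_t sample_in[4] = { 1, 2, 3, 4 };

/* ProbeForWrite-style check on a caller-controlled (addr, len) pair:
 * reject kernel-range addresses, addr+len wrap-around, and ranges that
 * straddle the user/kernel boundary. */
bool probe_user_range(uint32_t addr, uint32_t len) {
    if (len == 0) return true;
    if (addr >= USER_PROBE_ADDRESS) return false;       /* kernel range */
    if (len - 1 > UINT32_MAX - addr) return false;      /* addr + len wraps */
    if (addr + len > USER_PROBE_ADDRESS) return false;  /* straddles the split */
    return true;
}

/* Raw store into the toy address space.  A store outside the backed user
 * page stands in for the crash, or the silent kernel overwrite, described
 * in the advisory. */
static int raw_write(uint32_t addr, const uint8_t *src, uint32_t len) {
    if (addr < USER_PAGE_BASE || len > USER_PAGE_SIZE ||
        addr - USER_PAGE_BASE > USER_PAGE_SIZE - len)
        return KERNEL_RANGE_WRITE;
    memcpy(user_page + (addr - USER_PAGE_BASE), src, len);
    return STATUS_SUCCESS;
}

/* The advisory's pattern: OutputBuffer is used without validation. */
int complete_ioctl_unchecked(uint32_t out_addr, const uint8_t *in, uint32_t len) {
    return raw_write(out_addr, in, len);
}

/* Hardened completion: probe the user range before touching it. */
int complete_ioctl_checked(uint32_t out_addr, const uint8_t *in, uint32_t len) {
    if (!probe_user_range(out_addr, len)) return STATUS_ACCESS_VIOLATION;
    return raw_write(out_addr, in, len);
}

uint8_t user_page_byte(uint32_t offset) { return user_page[offset % USER_PAGE_SIZE]; }
```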

A write-what-where vulnerability can be leveraged to obtain
escalated privileges. To do so, an attacker will need to allocate
memory in userland that is populated with shellcode designed to
find the Token for PID 4 (System) and then overwrite the token
for its own process. By leveraging the vulnerability it is then
possible to overwrite the pointer at HalDispatchTable+0x4 with a
pointer to our shellcode. Calling NtQueryIntervalProfile() will
subsequently call HalDispatchTable+0x4, execute our shellcode,
and elevate the privilege of the exploit process.

4. Mitigation and Remediation Recommendation

The vendor has patched this vulnerability. The patch information
is here:
http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html

5. Credit

This vulnerability was discovered by Matt Bergin of KoreLogic
Security, Inc.

6. Disclosure Timeline

04.28.14 - KoreLogic contacts Oracle with vulnerability report and PoC.
04.29.14 - Oracle acknowledges receipt of vulnerability report and PoC.
05.02.14 - Oracle assigns tracking to this vulnerability report
and states that it will be patched in the CPU cycle,
with credit for the report given to KoreLogic. Oracle
also states monthly updates will be provided.
05.22.14 - Oracle provides KoreLogic with status update
indicating the vulnerability will be patched in an
upcoming CPU and states that they will publicly
acknowledge KoreLogic in the associated public
bulletin.
06.11.14 - KoreLogic informs Oracle that 30 days have passed
since vendor acknowledgement of the initial report.
KoreLogic requests CVE number for the vulnerability,
if there is one. KoreLogic also requests vendor's
public identifier for the vulnerability along with the
expected disclosure date.
06.11.14 - Oracle responds with CVE number, expected release date
of 07.15.14 and public identifier (CVE number).
06.24.14 - Oracle provides status update.
07.02.14 - 45 business days have elapsed since vendor
acknowledged vulnerability.
07.11.14 - Oracle provides expected CPU release time.
07.15.14 - Coordinated public release of vulnerability and vendor
patch.

The contents of this advisory are copyright(c) 2014 KoreLogic, Inc.
and are licensed under a Creative Commons Attribution Share-Alike 4.0
(United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a proven
track record of providing security services to entities ranging from
Fortune 500 to small and mid-sized companies. We are a highly skilled
team of senior security consultants doing by-hand security assessments
for the most important networks in the U.S. and around the world. We
are also developers of various tools and resources aimed at helping
the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v1.0.txt